The Tor network is by far the biggest volunteer run anonymous network on the planet. Since its launch, the network has witnessed thousands of relay nodes come and go, throughout the past 10 years. To deploy the onion routing protocol, all relay nodes maintain multiple RSA keys, the most essential of which are long term keys that never changes, and medium term keys that rotate periodically.

Relay nodes with weak cryptographic keys can undermine the security and privacy of Tor users. The degree of affection of Tor users relies on the type of keys that are vulnerable. In mild affection instances, the attacker succeeds only in compromising the TLS layer keys responsible for protection of Tor cells, which are chunks of data representing the flow of traffic across the circuit formed by Tor relay nodes. In severe affection instances, the attacker successfully compromises a relay’s long term key, or the “identity key”, allowing him/her to deceivingly impersonate this relay node. Accordingly, to heighten the security of Tor users, new methods are needed to quickly identify relay nodes with vulnerable keys to exclude them from the network, before they can be exploited by adversaries.

A group of researchers from Princeton University, tried to detect vulnerable and anomalous keys, via analyzing a publicly available dataset of 3.7 million public keys of the RSA type. They searched for shared prime numbers, non-standard RSA exponents and shared moduli. Interestingly enough, they discovered around 3,000 keys with shared prime numbers, that belong to a research project that was published in 2013. Ten relay nodes in the analyzed dataset shared the same modulus, which suggests manual interference with the process that generates the RSA keys. Moreover, the researchers discovered 122 relay nodes, with RSA exponents that were different from Tor’s hard coded exponents. They concluded that the greater proportion of these relay nodes were aimed at manipulating Tor’s distributed hash table (DHT) for the purpose of attacking onion domains. Even more, they deployed a special tool that emulates how onion domains are included in the DHT, which uncovered four onion domains that were mostly targeted by attackers.

The entities behind the incidents that were uncovered by the study are prominently diverse representing developers, researchers and malicious attackers who all took part in the process of generation of key anomalies. Via searching for information that relay nodes had in common, including similar IP address blocks, nicknames, port numbers and uptimes, the researchers managed to categorize the discovered relay nodes into clusters that were probably administrated by the same entities.

The researchers made all their source code and obtained data publically available, to enable third parties such as The Tor Project to monitor the keys of newly formed relay nodes and notify developers whenever generated keys are found to be non-standard or vulnerable. As such, Tor developers can react early and exclude these relay nodes from the network, before malicious attackers can exploit their key vulnerabilities.

Even though previous research studies analyzed the implications of vulnerable or anomalous RSA keys across various systems, this study represents the first ever study to analyze the influence of weak RSA keys on the security of Tor users. The study made two major contributions to the security of the Tor network:

1. It analyzed a dataset comprised of 3.7 million public keys of the RSA type in an attempt to discover weak, anomalous and/or non-standard keys, which revealed thousands of vulnerable keys.

2. It also described the features of the relay nodes discovered, showing that the greater percentage of these nodes were mostly run by a single entity, and revealing four onion domains that were mostly targeted by malicious attackers.

Continuous and periodic monitoring of relay’s keys is mandatory to maximize the security of users and help early discover and exclude relays with vulnerable or anomalous keys, so similar studies are needed to be conducted in the future.